Focus

Next-Generation Firewall

Export Certificates and Keys

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Export Files (API)

Export Technical Support Data

Export Certificates and Keys

Palo Alto Networks devices can utilize digital certificates containing cryptographic keys and signatures for secure communications. These certificates authenticate users (Authentication Portal, MFA), devices (GlobalProtect/IPSec VPNs), validate EDLs, secure User-ID agent connections, and enable SSL traffic decryption. The XML API supports working with these certificates programatically. The API supports both default system certificates and custom certificates, allowing comprehensive visibility into certificate deployment across distributed Palo Alto Networks environments.

API-based certificate export functionality provides:

Automated extraction of certificate metadata (validity periods, key sizes, algorithms)
Bulk export capabilities for certificate inventory management
Structured data format (JSON/XML) for integration with PKI systems
Monitoring of certificate expiration status across device groups
Export filters by certificate type, usage, or expiration threshold
Inclusion of certificate revocation status and CRL information

Use the following procedure to export certificates and keys.

To export certificates and keys, specify query parameterscertificate-name,format, andpassphrase:
```
https://<firewall>/api/?key=apikey&type=export&category=<certificate>
							&certificate-name=<certificate_name>
							&passphrase=<passphrase>
							&format=<pkcs12><pem><pkcs10>
							&include-key=<yes><no>&vsys=<vsys>
							<omit this parameter to import it into a shared location>
					
```
- certificate-name—name of the certificate object on the firewall
- passphrase—required when including the certificate key
- format—certificate format:pkcs12,pem, orpkcs10
- include-key—yes or no parameter to include or exclude the key
- vsys—virtual system where the certificate object is used. Ignore this parameter if the certificate is a shared object.
You can use the example above to export a certificate signing request (CSR). If you do so, then specify the following two parameters as shown:
- format—pkcs10
- include-key—no

Confirm that the XML response includes the certificate:

Export Files (API)

Export Technical Support Data

Next-Generation Firewall Docs

Export Certificates and Keys

Next-Generation Firewall Docs

Export Certificates and Keys

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner